Strategies for Fortifying Organisations Against REvil-Style Ransomware Attacks
In the July 2021 Kaseya incident, the REvil group exploited a zero-day vulnerability in on-premises deployments of Kaseya's Virtual System Administrator (VSA) server software. Because VSA is the tool managed service providers (MSPs) use to push software to the endpoints they manage, the ransomware spread rapidly from compromised MSPs to their clients' machines.
The incident response (IR) market has evolved to cover both proactive and reactive services, and both can now be delivered remotely. One organisation offering an IR contract for rapid deployment of response teams against attacks of the REvil/Kaseya type is VdS Schadenverhütung GmbH, a member of CFPA Europe.
Modern, cloud-based endpoint management plays an important role in faster remediation: integrated workflows and automated actions on discovered vulnerabilities shorten the time between finding an issue and fixing it. It also enables stronger access controls, because the management platform gathers contextual data about users, applications and devices that access decisions can be based on.
Investing in detection-based security tooling that collects and correlates user, application, device and network behaviour is essential. Endpoint detection and response (EDR) and network detection and response (NDR) tools give security operations teams visibility into fileless and zero-day attacks that signature matching cannot catch.
IR retainers remove the time lost to vendor negotiation and paperwork once an incident is under way, so the team can focus on response actions. A good retainer covers a scope of services well beyond the operation and configuration of security tools such as EDR and NDR.
Organisations should move their endpoint protection across all PCs from signature-based antivirus to tools that can detect fileless malware and analyse behavioural patterns. In addition, modern management models can shrink the attack surface by not funnelling every software deployment through a single, highly privileged update channel, which is exactly the position the VSA agent occupied in the Kaseya attack.
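As an added illustration of what "behavioural" rather than signature-based detection means in practice, the following Python snippet (written for this page, not code from Kaseya, REvil analysis or any EDR vendor) runs a DLL side-loading heuristic over constructed, Sysmon-style image-load events. The pattern it flags, a signed and legitimate executable dropped into a writable directory and loading an unsigned DLL placed beside it, is the one the Kaseya payload used with a Microsoft Defender binary, and no signature for the dropped DLL is needed to catch it. The event field names, file paths and signer strings are the sample's own assumptions, not a real telemetry schema.

```python
"""Behavioural detection of DLL side-loading over constructed image-load events."""
from pathlib import PureWindowsPath

# Directories where a signed binary normally lives. A signed Microsoft binary
# executing from somewhere else (e.g. a temp directory) is itself a weak signal.
# PureWindowsPath compares case-insensitively, so no lower-casing is needed.
TRUSTED_LOCATIONS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Constructed sample events (NOT real telemetry), shaped like Sysmon "Image loaded".
SAMPLE_EVENTS = [
    # Benign: Defender engine in its install directory loading its own signed DLL.
    {"image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "image_signed": True, "image_signer": "Microsoft Corporation",
     "loaded": r"C:\Program Files\Windows Defender\mpsvc.dll",
     "loaded_signed": True, "loaded_signer": "Microsoft Corporation"},
    # Suspicious: the same signed binary dropped into a writable directory and
    # loading an UNSIGNED DLL of the expected name sitting next to it.
    {"image": r"C:\Windows\Temp\MsMpEng.exe",
     "image_signed": True, "image_signer": "Microsoft Corporation",
     "loaded": r"C:\Windows\Temp\mpsvc.dll",
     "loaded_signed": False, "loaded_signer": None},
    # Benign: a user-installed app loading a DLL signed by the same publisher.
    {"image": r"C:\Users\alice\AppData\Local\Programs\Editor\editor.exe",
     "image_signed": True, "image_signer": "Editor Ltd",
     "loaded": r"C:\Users\alice\AppData\Local\Programs\Editor\libcrypto.dll",
     "loaded_signed": True, "loaded_signer": "Editor Ltd"},
    # Benign: system process loading a system DLL.
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_signed": True, "image_signer": "Microsoft Corporation",
     "loaded": r"C:\Windows\System32\ntdll.dll",
     "loaded_signed": True, "loaded_signer": "Microsoft Corporation"},
]


def is_trusted_location(path: str) -> bool:
    """True if the file sits under one of the trusted install directories."""
    p = PureWindowsPath(path)
    return any(trusted in p.parents for trusted in TRUSTED_LOCATIONS)


def detect_sideloading(events: list[dict]) -> list[dict]:
    """Return a finding for every event that matches the side-loading heuristic.

    All three conditions must hold, which keeps the rule quiet on normal software:
      1. the loading image is signed (attackers pick a trusted host binary),
      2. the DLL is unsigned or signed by a different publisher than the host,
      3. the DLL lives in the same directory as the host, and that directory is
         not a trusted install location (search order puts the app dir first).
    """
    findings = []
    for e in events:
        image, loaded = PureWindowsPath(e["image"]), PureWindowsPath(e["loaded"])
        if loaded.suffix.lower() != ".dll" or not e["image_signed"]:
            continue
        signer_mismatch = (not e["loaded_signed"]) or e["loaded_signer"] != e["image_signer"]
        same_dir = image.parent == loaded.parent
        if signer_mismatch and same_dir and not is_trusted_location(e["image"]):
            findings.append({
                "image": e["image"],
                "loaded": e["loaded"],
                "reason": "signed binary outside a trusted location loaded an "
                          "unsigned/foreign-signed DLL from its own directory",
            })
    return findings


if __name__ == "__main__":
    for f in detect_sideloading(SAMPLE_EVENTS):
        print(f"ALERT {f['image']} -> {f['loaded']}: {f['reason']}")
```

Only the second event fires. The rule deliberately ignores file hashes and names: renaming the DLL or recompiling it does not change the behaviour it keys on. In production the same logic would be expressed as an EDR or SIEM rule over real image-load telemetry, with an allow-list for in-house software that legitimately ships unsigned helper DLLs.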
Zero-trust network access (ZTNA) is a critical area of investment for modern management deployments. It grants access to a resource only to an authorised user on a device that meets policy, and it applies the same check whether the request originates on the internet or inside the corporate network; being on the LAN is not itself a credential.
When evaluating IR offerings, review the response-time service-level agreements (SLAs) carefully, and also the SLAs, if any, that govern how complete the remediation or recovery work must be. Be cautious about providers promoting "no upfront cost" or "zero-dollar" incident retainer programmes; they often come with limitations on scope, hours or response time that only become visible during an incident.
The perpetrators used Kaseya's own deployment mechanism to drop a legitimate but outdated Microsoft Defender executable alongside a malicious DLL, abusing the signed binary to side-load the ransomware. A trusted tool and a trusted vendor binary were thus both turned against the victims, which is why no single control suffices and a multi-layered approach is needed. Security leaders must combine tools and techniques to protect their organisations against ransomware attacks of this nature.
In conclusion, the Kaseya VSA ransomware attack is a stark reminder that the trusted management tooling an organisation relies on can become the delivery channel for an attack. Organisations must invest in modern management, detection-based security tooling, IR retainers and zero-trust network access to strengthen their defences and respond effectively when such threats materialise.